This topic describes how to create an instance RAM role, attach a policy to an instance RAM role, and attach an instance RAM role to an Elastic Compute Service (ECS) instance by calling API operations.

Prerequisites

  • The ECS instance to which you want to attach an instance RAM role resides in a virtual private cloud (VPC).
  • If you attached an instance RAM role to an ECS instance and want to access the APIs of other Alibaba Cloud services from applications that are deployed on the instance, you must obtain a temporary authorization token for the instance RAM role by using the instance metadata. For more information, see Obtain a temporary authorization token.

Procedure

Step 1: Create an instance RAM role

Call the CreateRole operation to create an instance RAM role.

Set the RoleName parameter. In this example, the parameter is set to EcsRamRoleDocumentTesting.

Set the AssumeRolePolicyDocument parameter based on the following policy:

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "ecs.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }

Step 2: Attach a policy to an instance RAM role

Note An ECS instance can have only one instance RAM role attached.
  1. Call the CreatePolicy operation to create a policy.
    Take note of the following items:
    • Set the PolicyName parameter. For example, set the parameter to EcsRamRoleDocumentTestingPolicy.
    • Set the PolicyDocument parameter based on the following policy:

        {
            "Statement": [
                {
                    "Action": [
                        "oss:Get*",
                        "oss:List*"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ],
            "Version": "1"
        }
  2. Call the AttachPolicyToRole operation to attach the policy to an instance RAM role.
    Take note of the following items:
    • Set the PolicyType parameter to Custom.
    • Set the PolicyName parameter. For example, set the parameter to EcsRamRoleDocumentTestingPolicy.
    • Set the RoleName parameter. For example, set the parameter to EcsRamRoleDocumentTesting.
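The two policy documents from Step 1 and Step 2, built in Python so they can be serialized for the AssumeRolePolicyDocument and PolicyDocument parameters and checked before the CreateRole and CreatePolicy calls are made. This is an added example, not code from the Alibaba Cloud documentation or SDK; the check functions are assumptions about what a reviewer wants to confirm (only ecs.aliyuncs.com may assume the role, and the permission policy stays read-only).

```python
import json

# Trust policy from Step 1: only the ECS service may assume the role.
ECS_TRUST_POLICY = {
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": ["ecs.aliyuncs.com"]},
        }
    ],
    "Version": "1",
}

# Permission policy from Step 2: read-only access to OSS.
OSS_READ_POLICY = {
    "Statement": [
        {"Action": ["oss:Get*", "oss:List*"], "Effect": "Allow", "Resource": "*"}
    ],
    "Version": "1",
}


def policy_document(policy: dict) -> str:
    """Serialize a policy for the AssumeRolePolicyDocument / PolicyDocument parameter."""
    return json.dumps(policy, separators=(",", ":"))


def trusted_services(trust_policy: dict) -> set:
    """Return every service principal the trust policy allows to call sts:AssumeRole."""
    services = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        services.update(stmt.get("Principal", {}).get("Service", []))
    return services


def is_read_only(policy: dict) -> bool:
    """True if every Allow action is a Get*/List*/Describe* style read (no wildcard)."""
    read_prefixes = ("Get", "List", "Describe")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if ":" not in action or not action.split(":", 1)[1].startswith(read_prefixes):
                return False
    return True
```

The serialized strings are what you pass as the AssumeRolePolicyDocument and PolicyDocument parameters; the checks are worth keeping in a deployment script so a later edit that widens the trust policy or adds write actions is caught before the role is created.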

Step 3: Attach an instance RAM role to an ECS instance

Call the AttachInstanceRamRole operation to attach an instance RAM role to an ECS instance.

Take note of the following items:
  • Set the RegionId and InstanceIds parameters to specify an ECS instance.
  • Set the RamRoleName parameter. For example, set the parameter to EcsRamRoleDocumentTesting.

Step 4: (Optional) Detach an instance RAM role from an ECS instance

Call the DetachInstanceRamRole operation to detach an instance RAM role from an ECS instance.

Take note of the following items:
  • Set the RegionId and InstanceIds parameters to specify the ECS instance.
  • Set the RamRoleName parameter. For example, set the parameter to EcsRamRoleDocumentTesting.

Step 5: (Optional) Obtain a temporary authorization token

You can obtain a temporary authorization token for the instance RAM role from the instance metadata. The token is rotated automatically on a regular basis. Applications on the instance use the token to exercise the permissions of the instance RAM role and access the resources it is authorized for. You can perform the following operations:

Query the temporary authorization token of the instance RAM role. For example, the RAM role is named EcsRamRoleDocumentTesting.
  • For a Linux instance, run the curl http://100.100.100.200/latest/meta-data/Ram/security-credentials/EcsRamRoleDocumentTesting command.
  • For a Windows instance, see Overview of ECS instance metadata for information about how to query the temporary authorization token of the instance RAM role.
Obtain the temporary authorization token. A command output similar to the following one is returned:

    {
      "AccessKeyId" : "XXXXXXXXX",
      "AccessKeySecret" : "XXXXXXXXX",
      "Expiration" : "2017-11-01T05:20:01Z",
      "SecurityToken" : "XXXXXXXXX",
      "LastUpdated" : "2017-10-31T23:20:01Z",
      "Code" : "Success"
    }
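How an application on the instance should consume the Step 5 response: validate that the metadata service returned Code=Success and all credential fields, then track Expiration so the metadata endpoint is re-read before the STS token lapses. This is an added example, not code from the Alibaba Cloud documentation or SDK; the sample response is constructed with the page's placeholder values, and the 10-minute refresh margin is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the Step 5 response (placeholder values).
SAMPLE_RESPONSE = """{
  "AccessKeyId" : "XXXXXXXXX",
  "AccessKeySecret" : "XXXXXXXXX",
  "Expiration" : "2017-11-01T05:20:01Z",
  "SecurityToken" : "XXXXXXXXX",
  "LastUpdated" : "2017-10-31T23:20:01Z",
  "Code" : "Success"
}"""

REQUIRED_FIELDS = ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")


def parse_credentials(text: str) -> dict:
    """Parse the metadata response; raise if the service did not return usable credentials."""
    cred = json.loads(text)
    if cred.get("Code") != "Success":
        raise ValueError("metadata service returned Code=%r" % cred.get("Code"))
    missing = [key for key in REQUIRED_FIELDS if not cred.get(key)]
    if missing:
        raise ValueError("credential response is missing %s" % ", ".join(missing))
    return cred


def _parse_utc(stamp: str) -> datetime:
    """Timestamps in the response are UTC in the form 2017-11-01T05:20:01Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seconds_until_expiry(cred: dict, now_utc: str) -> float:
    """Seconds left on the token relative to now_utc (same timestamp format)."""
    return (_parse_utc(cred["Expiration"]) - _parse_utc(now_utc)).total_seconds()


def needs_refresh(cred: dict, now_utc: str, margin_seconds: int = 600) -> bool:
    """Re-read the metadata endpoint while the current token is still valid."""
    return seconds_until_expiry(cred, now_utc) <= margin_seconds
```

Any process on the instance can read the metadata endpoint, which is why the role's permission policy should grant no more than the application on that instance needs.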

Step 6: (Optional) Grant a RAM user the permissions to use an instance RAM role

Note If you want a RAM user to use an instance RAM role, you must grant the RAM user the PassRole permission on the instance RAM role. Without the PassRole permission, the RAM user cannot exercise the permissions that the role's policies grant.
  1. Log on to the RAM console.
  2. Grant a RAM user the permissions to use the instance RAM role. For more information, see Grant permissions to the RAM user.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:[ECS RAM Action]",
                    "ecs:CreateInstance",
                    "ecs:AttachInstanceRamRole",
                    "ecs:DetachInstanceRamRole"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "ram:PassRole",
                "Resource": "*"
            }
        ]
    }

    [ECS RAM Action] is a placeholder for the ECS API actions that the RAM user is allowed to call. For more information, see Authentication rules.